Data Protection in Amazon AppStream 2.0 - Amazon AppStream 2.0

Data Protection in Amazon AppStream 2.0

Amazon AppStream 2.0 conforms to the AWS shared responsibility model, which includes regulations and guidelines for data protection. AWS is responsible for protecting the global infrastructure that runs all the AWS services. AWS maintains control over data hosted on this infrastructure, including the security configuration controls for handling customer content and personal data. AWS customers and APN partners, acting either as data controllers or data processors, are responsible for any personal data that they put in the AWS Cloud.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM), so that each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

  • Use multi-factor authentication (MFA) with each account.

  • Use TLS to communicate with AWS resources.

  • Set up API and user activity logging with AWS CloudTrail.

  • Use AWS encryption solutions, along with all default security controls within AWS services.

  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.

We strongly recommend that you never put sensitive identifying information, such as your customers' account numbers, into free-form fields or metadata, such as function names and tags. Any data that you enter into metadata might get picked up for inclusion in diagnostic logs. When you provide a URL to an external server, don't include credentials information in the URL to validate your request to that server.

For more information about data protection, see the AWS Shared Responsibility Model and GDPR blog post on the AWS Security Blog.

Encryption at Rest

AppStream 2.0 fleet instances are ephemeral in nature. After a user's streaming session is finished, the underlying instance and its associated Amazon Elastic Block Store (Amazon EBS) volume are terminated. In addition, AppStream 2.0 periodically recycles unused instances for freshness.

When you enable application settings persistence or home folders for your users, the data that is generated by your users and stored in Amazon Simple Storage Service buckets is encrypted at rest. AWS Key Management Service is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Amazon S3 uses AWS Managed CMKs to encrypt your Amazon S3 object data.

Encryption in Transit

The following table provides information about how data is encrypted in transit. Where applicable, other data protection methods for AppStream 2.0 are also listed.

Data Network path How protected

Web assets

This traffic includes assets such as images and JavaScript files.

Between AppStream 2.0 users and AppStream 2.0

Encrypted using TLS 1.2
Pixel and related streaming traffic Between AppStream 2.0 users and AppStream 2.0

Encrypted using 256-bit Advanced Encryption Standard (AES-256)

Transported using TLS 1.2

API traffic Between AppStream 2.0 users and AppStream 2.0

Encrypted using TLS 1.2

Requests to create a connection are signed using SigV4

Application settings and home folder data generated by users

Applicable when application settings persistence and home folders are enabled.

Between AppStream 2.0 users and Amazon S3 Encrypted using Amazon S3 SSL endpoints
AppStream 2.0-managed traffic

Between AppStream 2.0 streaming instances and:

  • AppStream 2.0 management services

  • AWS services and resources in your AWS account

  • Non-AWS services and resources (such as Google Drive and Microsoft OneDrive)

Encrypted using TLS 1.2

Requests to create a connection are signed using SigV4 where applicable